New Android security flaw lets hackers seize control of apps — how to stay safe
Editor’s Note: We have updated this article to highlight the fact that the vulnerable apps in question have since been patched by their respective developers. Also, we’ve changed the headline to address that the apps themselves are not malicious and don’t need to be deleted. We’ll update this story as we learn more.
Microsoft is sounding the alarm about a recently discovered critical security vulnerability on Android named “Dirty Stream” that can let malicious apps easily hijack legitimate apps. Worse still, this flaw impacts multiple apps with hundreds of millions of installs. If you have one of the best Android phones, here’s what you need to know to protect your data.
The vulnerability relates to the ContentProvider system prevalent across many popular Android apps, which manages access to structured data sets meant to be shared between different applications. It’s basically what lets your Android apps talk to one another and share files. To protect users and ward off unauthorized access, the system includes safeguards such as strict isolation of data, unique permissions attached to specific URIs (Uniform Resource Identifiers), and path validation security.
According to Microsoft’s alert, two vulnerable apps that have since been patched include Xiaomi Inc.’s File Manager (1B+ installs) and WPS Office (500M+ installs).
What makes the Dirty Stream vulnerability so devious is how it manipulates this system. Microsoft has found that hackers can create “custom intents,” messaging objects that facilitate communication between components across Android apps, to bypass these security measures. By exploiting this loophole, malicious apps can send a file with a manipulated filename or path to another app using a custom intent, sneaking in harmful code disguised as legitimate files.
From there, a hacker could trick a vulnerable app into overwriting critical files within its private storage space — and the results can be devastating. As BleepingComputer put it, Dirty Stream essentially turns a common OS-level function into a weaponized tool to execute unauthorized code, steal data, and even hijack an app while the user is none the wiser.
“Arbitrary code execution can…
